Pension Benefit Guaranty Corporation
Office of Inspector General

SEMIANNUAL REPORT TO CONGRESS
April 1, 2010 - September 30, 2010

Pension Benefit Guaranty Corporation
Office of Inspector General
1200 K Street, NW, Washington, DC 20005-4026

January 7, 2011

The Board of Directors
Pension Benefit Guaranty Corporation

During the six month period covered by this report, the PBGC Office of Inspector General addressed a range of issues including information technology, financial reporting, and pension plan terminations. We issued two reports with nine recommendations for improvement, completed two investigations, resolved 45 complaints, and continued investigative work on 3 cases that were previously accepted for prosecution by U.S. Attorneys’ offices.

Federal agencies have been called upon to enhance the attention paid to risk and controls. The myriad requirements of OMB Circulars A-123 and A-130, the Federal Managers’ Financial Integrity Act (FMFIA) of 1982 and the Federal Information Security Management Act (FISMA) of 2002, as well as other guidance relating to accountability and transparency, all share the objective of enhancing an agency’s risk management and ensuring that an agency’s response to risk provides reasonable assurance that the organization will achieve its strategic objectives.

The reports issued during this period and our ongoing audit work share a common focus on risk and risk management.
For example:

 • In our report on Authorizations to Operate PBGC Information Systems, we explained that PBGC has been unable to determine the risk associated with weaknesses in its information technology systems. As a result, PBGC senior management officials do not have a valid basis on which to authorize continued operations of PBGC’s automated systems. Nevertheless, the Corporation continues to rely on these systems for all aspects of its operations.
 • Our audit of the Actuarial Calculation Toolkit (ACT) disclosed that the personally identifiable information for approximately 1 million participants is currently at risk. This situation occurred when PBGC determined the level of risk associated with ACT, incorrectly classifying it as a minor system. As a result of the incorrect assessment of risk, the Corporation did not perform the security risk assessment mandated by federal standards or take needed actions to mitigate risk.
 • As part of our review of PBGC’s draft document titled Major Asset Allocation Transitions, we shared observations and suggestions, including the need to address specific investment-related risks and associated mitigations. Subsequent to this six-month report period, but before we issued this Semiannual Report, PBGC adopted many of our suggestions relating to risk and added a requirement for a transition implementation plan to include an analysis of pertinent risks and identify specific mitigating measures.

During the six month period, we continued to work closely with PBGC management to address open audit recommendations. A total of 47 recommendations were closed during the period, leaving 163 recommendations yet to be addressed. PBGC reports that it plans to complete many of these recommendations in the near future, with more than half (82) scheduled to be completed within the next six month period.
Some recommendations will take far longer to fully implement. For example, certain recommendations relating to PBGC’s information technology security are not scheduled for completion until 2015. It is important that PBGC ensure effective interim measures to mitigate risks until final action can be taken.

Sincerely,

Rebecca Anne Batts
Inspector General

Table of Contents

Letter to the Board of Directors

Executive Summary

Introduction
    The Pension Benefit Guaranty Corporation
    The Office of Inspector General

OIG’s Focus on Challenges Facing PBGC

OIG’s Audits and Investigations of PBGC’s Information Security
    Authorization to Operate PBGC Information Systems
    Controls to Better Protect Participant Personally Identifiable Information
    Corrective Actions in Response to OIG’s Investigative Management Advisories
    Information Technology and Corrective Action Plans

Congressional Request Leads to New Audit Work
    Congressional Request: PBGC’s Handling of UAL Pension Plan Terminations

Progress in Reducing the Backlog of Unimplemented Audit Recommendations

Significant Ongoing Work
    Request from Special Committee on Aging to Evaluate PBGC’s Preparedness for a Potential Workload Influx
    Congressional Request: Evaluation of PBGC’s Actions in Processing Certain Minnesota Steelworker Plans
    OIG’s Annual Audits of the Financial Statements
    Assessment of PBGC Compliance with FISMA
    Review of PBGC’s Proposed Investment Policy Implementation Guidance

Other OIG Reporting
    Access to Information
    Management Decisions
    Audit Peer Review Results

Other OIG Activities

Appendix
    Cross-Reference to Reporting Requirements of the Inspector General Act
    Summary of Audit and Investigative Activities
    Results of Reports Issued
    Summary of Reports Older Than 6 Months for Which Management Decision Has Not Been Achieved
    Previously Reported Significant Recommendations for Which Corrective Action Has Not Been Completed

Executive Summary

The Semiannual Report to Congress summarizes the activities and accomplishments of the Pension Benefit Guaranty Corporation (PBGC) Office of Inspector General (OIG) for the period April 1, 2010 through September 30, 2010.
During this reporting period, our work focused primarily on financial reporting, information technology security, and pension plan termination processes.

 • Our report on authorizations to operate (ATO) PBGC information systems explained that the Corporation continues to rely on its automated systems for all aspects of its operations, despite PBGC’s inability to determine the risks associated with weaknesses in its information technology systems (see pages 5-7).
 • Through work initiated as a result of a whistleblower complaint, we determined the personally identifiable information for approximately 1 million plan participants is currently at risk because PBGC has not implemented adequate controls in its Actuarial Calculation Toolkit (see pages 7-8).
 • In response to a Congressional request, we evaluated PBGC’s handling of the 2005 termination of the United Airlines (UAL) pension plans and found PBGC took many actions to protect worker and retiree interests.
   While responding to the request, we also found serious deficiencies in PBGC’s plan asset and participant data audits for the UAL plans and initiated evaluations that will be completed in the near future (see pages 11-12).

Highlights of our follow-up on PBGC’s progress in addressing findings from prior audits and investigations include:

 • PBGC made good progress in reducing the backlog of unimplemented audit recommendations by closing 47 of the 201 recommendations that were open as of April 1, 2010.
 • More than 60% of the recommendations that remain open relate to needed improvements in information technology and contracting.
 • PBGC expects to close more than half of its open recommendations in the next six months.
 • PBGC took some corrective actions to improve security and protect confidential information in response to investigative management advisories.

We will continue to monitor the completion of recommendations relating to PBGC’s information technology security, scheduled for completion in 2015.

As of September 30, 2010, much of our audit work was nearing completion (and was issued prior to this report’s submission to Congress), including evaluating PBGC’s preparedness for a potential workload influx, the annual audits of the PBGC’s financial statements, and PBGC’s compliance with the Federal Information Security Management Act (FISMA). Other ongoing work includes evaluation of PBGC’s actions in processing certain Minnesota Steelworker plans, and review of PBGC’s proposed investment policy implementation guidance and its written guidance for the securities lending program.

Introduction

The Pension Benefit Guaranty Corporation

The Pension Benefit Guaranty Corporation (PBGC or the Corporation) was established under Title IV of the Employee Retirement Income Security Act of 1974 (ERISA), as amended (29 U.S.C. §§ 1301-1461), as a self-financing, wholly-owned Federal government corporation to administer the pension insurance program. ERISA requires that PBGC: (1) encourage the continuation and maintenance of voluntary private pension plans, (2) provide for the timely and uninterrupted payment of pension benefits to participants and beneficiaries, and (3) maintain premiums at the lowest level consistent with carrying out PBGC’s obligations.

For about 44 million Americans, PBGC provides assurance that their retirement benefits will be paid, up to a statutory limit. PBGC protects the pensions of participants in certain defined benefit pension plans (i.e., plans that promise to pay definitely determinable retirement benefits). Such defined benefit pension plans may be sponsored individually or jointly by employers and unions. PBGC is now responsible for the pensions of about 1.5 million people.

During FY 2010, PBGC managed about $71.19 billion in assets and paid about $5.6 billion in benefits to almost 801,000 retirees and beneficiaries. The Corporation reports having sufficient liquidity to meet its obligations for a number of years, despite a cumulative deficit of $23 billion from the single-employer and multiemployer programs.
Neither program at present has the resources to satisfy all of the benefit obligations already incurred, much less future obligations likely to be assumed.

PBGC’s governance structure comprises the Board of Directors, their Board Representatives, a Presidentially-appointed Director, and Congressional oversight. Other elements of governance include PBGC’s system of internal control, its clearly articulated authority to act, and the policies and procedures under which PBGC operates. PBGC governance is complex and requires those who are charged with its oversight to view the Corporation from a number of differing perspectives. Oversight by the PBGC Board, PBGC management and the OIG is critical to effective corporate governance.

The Office of Inspector General

Our Office of Inspector General (OIG) was created under the 1988 amendments to the Inspector General Act of 1978. We provide an independent and objective voice that helps the Congress, the Board of Directors, and PBGC protect the pension benefits of American workers. Like all Offices of Inspector General, the PBGC OIG is charged with providing leadership and recommending policies and activities designed to prevent and detect fraud, waste, abuse, and mismanagement; conducting and supervising independent audits and investigations; and recommending policies to promote sound economy, efficiency, and effectiveness.

To provide value, we focus our work on the challenges facing PBGC.
We strive to target the highest risk areas and emphasize timely reporting of results. We determine what we will investigate and audit and how we will conduct those investigations and audits. We determine our own priorities and have had our own independent legal counsel since 1990. Our audit and investigative staff is competent and experienced, with professional backgrounds in other Offices of Inspector General, independent accounting firms, and federal criminal investigative agencies. We independently respond to Congressional requests and initiate contact with Congress, as warranted.

The OIG is in full compliance with the Quality Standards for Federal Offices of Inspector General, published by the President’s Council on Integrity and Efficiency (PCIE) and the Executive Council on Integrity and Efficiency (ECIE). Our audit work is performed in compliance with Generally Accepted Government Auditing Standards, issued by the Comptroller General of the United States, and our investigations are performed in compliance with PCIE and ECIE Quality Standards for Investigations.

The PBGC OIG is organizationally independent. The Inspector General reports directly to the highest level of PBGC governance, the PBGC Board and to Congress.
In executing our independent oversight role, we perform a range of legally-mandated work (e.g., the annual financial statement audit and the annual Federal Information Security Management Act review) as well as a body of discretionary work.

OIG’s Focus on Challenges Facing PBGC

Between April 1, 2010 and September 30, 2010, the Pension Benefit Guaranty Corporation (PBGC) Office of Inspector General (OIG) focused on three priority areas: financial reporting, information technology security, and pension plan termination processes. We issued two audit reports and two reports of investigation. In response to a Congressional request, we reviewed PBGC’s handling of the 2005 termination of United Airlines’ pension plans. Our work resulted in the initiation of a follow-on audit of PBGC’s plan asset and participant data audits of these pension plans. We also initiated one new investigation and closed 47 investigations and complaints. As of September 30, 2010, we are actively working three criminal cases with various U.S. Attorneys’ offices.

OIG’s Audits and Investigations of PBGC’s Information Security

Because of PBGC’s long-standing and systemic information technology (IT) weaknesses, we continued our focus on information technology security during the six month period. In our prior report to Congress, we had reported that our FY 2009 financial statement audits included an adverse opinion on internal control, based on significant IT weaknesses that posed an increasing and substantial risk to PBGC’s ability to carry out its mission. (See Audit of the Pension Benefit Guaranty Corporation’s Fiscal Year 2009 and 2008 Financial Statements, AUD-2010-1/FA-09-64-1 (http://oig.pbgc.gov/audit/2010/pdf/FA-09-64-1.pdf).)

Remediating these serious deficiencies will require time. We recently issued two audit reports, described below, that address identified shortcomings in PBGC’s information technology security. Further, the financial statement and Federal Information Security Management Act (FISMA) audit work that was ongoing as of September 30, 2010, shows that some progress has occurred.
The results of our audits of PBGC’s FY 2010 financial statements and of our FISMA work will be summarized in our next semiannual report.

Authorization to Operate PBGC Information Systems
AUD-2010-8/IT-09-70
http://oig.pbgc.gov/audit/2010/pdf/IT-09-70.pdf

Although PBGC has been unable to determine the risk associated with weaknesses in its information technology systems, the Corporation continues to rely on its automated systems for all aspects of its operations. During our FY 2009 FISMA review, we became aware that PBGC was operating its information technology general support systems and major applications without the necessary authorizations to operate (ATOs), as required by FISMA and Office of Management and Budget (OMB) Circular A-130. The ATO is intended to document the official management decision made by a senior agency official to allow operation of a system and to explicitly accept the risk to agency operations, assets, or individuals based on the implementation of an agreed-upon set of security controls.

Due to fundamental weaknesses in PBGC’s IT infrastructure and PBGC’s ineffective certification and accreditation (C&A) process, PBGC senior management officials did not have a valid basis on which to authorize continued operation of PBGC’s information technology systems. We determined that out of the 14 systems, only three had a current ATO.
Without remediation of all the high and 50% of the moderate vulnerabilities, the remaining eleven systems did not have valid authorizations to operate. Specifically, we observed that:

 • PBGC continued to use systems with unremediated vulnerabilities. Some of the vulnerabilities had been identified as long ago as December 2007.
 • “Conditional” as opposed to “authorized” approvals had been granted because of the significant number of high and medium unresolved vulnerabilities. For nine systems, PBGC senior officials granted a conditional ATO and allowed continued operation although high and medium vulnerabilities had not been remediated. On August 20, 2009, OMB issued Memorandum M-09-29 which states that OMB does not recognize an interim authorization to operate, as doing so would be counter to FISMA’s goals.
 • In December 2007, the certifying agent, information system owner, and Information Systems Security Officer concluded that two major systems – My Pension Benefit Account (MyPBA) and eTalk-Qfiniti – should be denied an approval to operate, pending remediation of all “High” rated items and at least half of all “Moderate” rated items.
   For each of the systems, the reviewers had concluded “we certify that the safeguards designed, developed, and implemented have not demonstrated the necessary security to reduce the risk of operating the aforementioned system to an acceptable level.” [emphasis in original]

PBGC is in a difficult position with respect to authorizing operation of its general support systems and other major applications. Because an ATO must be supported by a complete C&A document, PBGC must address weaknesses in the C&A process before its systems can be appropriately authorized. OMB guidance does not provide for agencies to issue “conditional” or “interim” ATOs. In theory, an agency should not operate an information technology system unless it has been properly certified and accredited.
In summary, our recommendations included:

 • Requesting a waiver from OMB to allow for continued operations of information technology systems, despite the presence of unremediated vulnerabilities and the absence of an effective certification and accreditation process.
 • Developing a comprehensive corrective action plan to remediate all the high and moderate vulnerabilities remaining on the PBGC network.
 • Ensuring that an accountable individual takes ownership and provides oversight of the remediation process and validates that corrective actions are completed by the target dates.
 • Ensuring that all ATOs are updated accurately to reflect the current system security state and status of the Plan of Action and Milestones.

PBGC agreed with three of the four recommendations. PBGC disagreed with our recommendation that it seek a formal waiver from OMB and proposed an alternative. PBGC stated it has briefed OMB and OMB has not requested that PBGC apply for a waiver. PBGC noted its commitment to keeping its stakeholders apprised of progress as the plans are implemented. We accepted PBGC’s proposed alternative corrective action.
We will continue to monitor PBGC’s progress in completing new authorizations to operate.

PBGC Needs to Improve Controls to Better Protect Participant Personally Identifiable Information (PII)
AUD-2010-09/IT-09-67
http://oig.pbgc.gov/audit/2010/pdf/IT-09-67.pdf

We found that the personally-identifiable information (PII) for approximately 1 million participants is currently at risk because PBGC has not implemented adequate controls in its Actuarial Calculation Toolkit (ACT). A whistleblower complaint alleged that the PII of participants in terminated pension plans was unprotected because PBGC was using an unsecured application that did not comply with applicable information technology standards.

ACT captures and stores PII, such as name, Social Security Number, hire date and retirement date. Built on Microsoft software, it uses customized features of Excel and Access to calculate an individual participant’s final pension benefit -- a core function for PBGC and one that is necessary to ensure the agency can adequately meet its mission. Individual benefit calculations are performed using Microsoft Excel spreadsheets, and participant data is stored in Microsoft Access files, a small database system that allows users to create databases with minimum security features.

From 1996 to 2004, ACT served as PBGC’s primary valuation system. In 1999, PBGC recognized a number of drawbacks with the spreadsheet approach and began the process to identify and procure a new valuation system.
Eventually, PBGC selected Ariel, a valuation system developed by a Canadian firm, to replace ACT. PBGC management initially believed that Ariel would improve the timeliness of benefit determinations and improve the reliability and security of participant data. However, in 2008, PBGC concluded that Ariel was requiring so many resources, in terms of both staff time and money (more than $31 million), that the Corporation decided to begin the process of transitioning pension plan participant information from Ariel back to ACT.

When the transition from the new system back to the old software occurred, PBGC should have, at a minimum, completed a risk assessment, security plan and privacy impact assessment. However, because the risks associated with ACT were incorrectly determined, with a resulting classification as a minor system - “a tool kit” - the Corporation did not perform the security assessment mandated by federal standards or take needed actions to mitigate risk.
We recommended that PBGC:

 • Identify all Microsoft Access files that are not password protected and immediately implement password and access controls to ensure the protection of participant PII.
 • Reclassify ACT as a major system and complete a Certification and Accreditation review based on FIPS 199, National Institute of Standards and Technology (NIST) standards and OMB guidance including risk identification, assessment and mitigation.
 • Review the facts surrounding PBGC’s incorrect classification of ACT as a minor application and document a determination of whether additional controls over the classification process are needed.
 • Conduct scanning on a periodic basis and timely mitigate vulnerabilities in accordance with NIST guidance.
 • Implement encryption on all PBGC laptops and storage media that handle PII.

PBGC concurred with the report findings and recommendations, informing OIG that management has already completed steps to resolve one of the recommendations by instituting password protection for the 584 databases in ACT that contain PII.

Corrective Actions in Response to OIG’s Investigative Management Advisories

Security Breach - Protected Data Exposure

During the previous SARC period, we
reported on an investigation of a PBGC employee who transferred personally identifiable information for over 2200 plan participants from a flash drive to a CD via a Kinkos’ kiosk. Our investigation revealed that an employee received a flash drive that was not authorized for use on the PBGC network. The employee was incorrectly instructed by an IT security employee to use Kinkos to transfer the information to a PBGC approved electronic storage device so that it could be checked for malicious software. We determined that this represented a serious internal control concern for the PBGC because of the risk associated with transferring data via external vendors. A management advisory was issued to document our concerns and needed actions.

PBGC took appropriate corrective action in response to our investigation. Steps taken included:

 • Developing and publishing written procedures to ensure safe transfer of data from electronic storage devices;
 • Setting up a dedicated personal computer to be used if PBGC receives data in a form that may pose a risk; and
 • Establishing internal controls intended to ensure that sensitive data is kept safe during electronic transfer.

Potential Security Breach at the Continuation of Operations (COOP) Site

During the previous SARC period, we reported on an investigation of an alleged security breach that had occurred at a remote PBGC location.
Our physical security inspection of
the site showed that no breach had occurred, although a hard drive had been removed
from a server and never restored. Our investigation identified several inventory and
internal control issues at the facility. Most importantly, the onsite network administrators
were unable to identify which specific drive was missing, who had removed it, and
whether one of the uninstalled drives found in the server room was the removed drive. A
management advisory was issued to document our concerns and needed actions.

We revisited the COOP site to determine the effectiveness of PBGC’s corrective actions
in response to our management advisories. We noted that the Corporation had developed and
implemented security procedures to safeguard hard drives and that an inventory log of
spare hard drives had been established.

Information Technology and Corrective Action Plans

As reported in our prior semiannual report, PBGC is in the process of developing a
series of Corrective Action Plans (CAPs) to address the systemic IT weaknesses reported
in our internal control and FISMA reports. Importantly, PBGC has committed to build
and manage security controls to an appropriate NIST standard. Further, PBGC made
the decision to enter into an interagency agreement with the Bureau of Public Debt
to leverage its expertise in security control.
Our ongoing work shows that PBGC is
beginning to actively address serious information technology issues and the substantial
risks they pose for PBGC’s ability to carry out its mission.

The Corporation has embarked on a coherent approach to resolving and correcting
fundamental information technology weaknesses. Its multi-year corrective action plans
are intended to address security issues at the root cause level. The corrective action
plans are an important first step that reflects the priority that PBGC leadership places on
this critical issue. However, PBGC’s realistic assessment is that a timeframe of between
three and five years is needed to achieve the objectives of PBGC’s plans. According
to PBGC’s schedule, corrective action for many of OIG’s recommendations will not be
complete until 2015. Specifically, over the next 3 to 5 years, PBGC’s plans call for the
following:

  •  An infrastructure compliant with NIST and FISMA standards;
  •  An improved security program;
  •  Lower cost and a less complex environment;
  •  Decreased reliance on contract personnel; and
  •  A holistic approach to address audit recommendations.

During this six month reporting period, PBGC reported to us that it entered into an
interagency agreement with the Bureau of Public Debt’s Information Systems Security
Line of Business to provide the following services:

  •  Examine current system boundaries and reclassify PBGC’s FISMA inventory;
  •  Update the Information Security Handbook;
  •  Reexamine and document the common controls;
  •  Assist in developing a timeline for the Certification and Accreditation of PBGC
     systems;
  •  Document the Authority to Operate those systems; and
  •  Assist in the Certification and Accreditation review of each system.

PBGC expects that its plans will resolve fundamental weaknesses in the PBGC
information technology infrastructure. Current PBGC leadership has been
straightforward in acknowledging the challenges it faces in revitalizing PBGC’s
information technology processes. Implementing the corrective action plans will be
difficult and time-consuming. Some of PBGC’s challenges, like the continuous stream of
new and ever-changing federal requirements, are shared by all federal entities. Others
are unique to PBGC. For example, PBGC still has an acting Chief Information Officer, PBGC
system security expertise is still maturing, and trust-building is still a work-in-process for
the office that manages PBGC’s information technology.
Strong leadership and effective,
persistent oversight, from within the organization as well as from the outside, will be
needed if PBGC is to ensure the security of the information technology systems that
support the PBGC mission.

Congressional Request Leads to New Audit Work

While conducting work to respond to a request from Representative George Miller (D. CA),
Chairman of the House Committee on Education and Labor (discussed below), we
found that the contractors charged with conducting the plan asset audits for the four
United Airlines defined benefit plans did not exercise due professional care in their
work. Further, we found that PBGC did not comply with its own protocols in conducting
these audits, which are designed to determine the fair market value of plan assets at the
date of plan termination, a value that is important in determining the benefit level
of participants. PBGC did not properly oversee the work of the contractor and failed
to identify or follow up on serious and obvious errors and omissions in the work.
We found similar shortcomings in the United Airlines participant data audits, which were
performed by the same contractor and under the same lax control environment.

We determined that the issues surrounding the contractor’s inadequate audits were
so significant that additional, more detailed evaluation was warranted; we initiated
an evaluation of PBGC’s plan asset and participant data audits for the United Airlines
plans. Our next semiannual report will describe our findings and recommendations for
improvements in PBGC’s oversight of the plan asset audit and the participant data audit
processes.

Congressional Request: PBGC’s Handling of UAL Pension
Plan Terminations
http://oig.pbgc.gov/reports/testimony/Miller_UAL_review.pdf

In late December 2009, Chairman Miller of the House Committee on Education and
Labor requested that our office review the circumstances surrounding PBGC’s handling
of the 2005 termination of four United Airlines pension plans. We found that PBGC took
action to protect worker and retiree interests. The deficiencies we found in the plan asset
audits, however, constituted a serious failure in the execution of PBGC’s protocols.
Except for those issues, nothing came to our attention to cause us to believe that PBGC had not
complied with its own protocols or that its established protocols were not adequate, as
long as the Corporation ensures careful execution.

UAL sponsored a number of single-employer pension plans – four were significantly
underfunded, including plans for pilots, ground employees, flight attendants, and
the management, administrative and public contact employees. Under the Employee
Retirement Income Security Act of 1974 (ERISA), as amended, PBGC insures benefits in
certain defined benefit pension plans sponsored by private sector employers, such as the
UAL plans. ERISA establishes the statutory scheme for termination of single-employer
plans when certain conditions occur, such as if the plan will be unable to pay benefits
when they are due or the plan’s future liabilities are reasonably expected to cause an
unreasonably increased long-run loss to PBGC. At the time PBGC instituted proceedings
to terminate the four UAL pension plans, the cumulative underfunding was estimated to
be $10.4 billion. That is, the plans only had $6.8 billion in assets to pay about $17.2 billion
in promised pension benefits. Under ERISA, $13.8 billion of benefits were guaranteed; of
that amount, about $7 billion was unfunded. At the beginning of the fiscal year in which
the UAL plans were terminated, PBGC’s own deficit was $23.5 billion.

From our review, we observed that PBGC officials and staff took actions and performed
administrative steps that protected the worker and retiree interests, including applying
regulations and established processes to implement ERISA’s criteria for terminating and
trusteeing plans.
Among the actions that PBGC took were:

  •  Analyzing and documenting whether the plans should be terminated and, if so,
     on what date, then subjecting the analyses and termination recommendations to
     multiple, higher-level reviews; and
  •  Communicating with participants in the terminated plans, including responses to
     individual letters and mass mailings, and large group meetings with UAL pension
     participants in which PBGC answered questions, addressed concerns and explained
     the federal pension program.

Our review also included a follow-up to a prior OIG report, Review of PBGC Claims Sale
(No. 2006-11/PA-0029, August 31, 2006). This report evaluated whether the process PBGC
followed in hiring Deutsche Bank to market and sell PBGC’s rights to UAL securities upon
UAL’s emergence from bankruptcy was reasonable in light of PBGC’s governance and
industry standards for institutional investors. While the report noted that “the Sale was
perceived in the market as successfully executed,” the report also noted that PBGC failed
to share useful and timely information within PBGC and with the Board of Directors.
We made recommendations that addressed PBGC’s investment policy, governance and
standard documentation.
PBGC provided documentation showing they had taken many
actions to improve their internal and external communications, including:

  •  Written Weekly Significant Activity Reports to the Board Representatives with
     confidential information about significant developments in active cases and
     litigation.
  •  Bi-weekly Significant Update Case meetings to executives and department directors
     affected by the cases.
  •  Large case working group meetings attended by interdisciplinary agency managers
     and staff who plan and prepare when a large plan is to be terminated and trusteed.
  •  Bi-weekly meetings between the General Counsel and Chief Counsel and their senior
     leaders to discuss legal matters of mutual concern.

While PBGC did not implement some of our recommendations, we noted that the
Corporation has established protocols and processes that reduce the likelihood of future
communications breakdowns similar to those that occurred during the UAL claims sale.

We also noted an area in which PBGC could improve: there are no mandates to
document discussions and negotiations between PBGC and plan sponsors.
Creating a contemporaneous record of settlement and other discussions would create a complete
record of the government’s actions for the particular matter and would also preserve
the facts from fading memories, differing perceptions, and lost knowledge when staff
leave PBGC. We concluded that PBGC needs to develop and implement protocols for
all meetings or discussions with plan sponsors that, at a minimum, require written
documentation of the meetings.

PBGC Has Made Progress in Reducing Backlog of Unimplemented Audit Recommendations

As of April 1, 2010, the beginning of the reporting period, a total of 201 audit
recommendations were open. Reports issued during the period added nine more
recommendations, bringing the total number to 210. A total of 47 recommendations
were closed during the period, including 17 recommendations relating to contracting
issues and 12 recommendations relating to financial and investment issues. As shown
by the following chart, more than half of the closed recommendations related to
contracting and financial management issues.

As of September 30, 2010, 163 audit recommendations remain open.
These recommendations address a range of issues, from the most serious problem affecting
PBGC to relatively minor compliance issues. In some cases, we met with PBGC officials to
discuss management’s reported corrective actions when we determined that what had
been done was not sufficient to fully address the recommendations. As warranted, we
provided detailed memoranda outlining the need for additional information. Many of
our comments related to management’s need to test the corrective action to ensure it
had been fully implemented and was effective.

The following chart shows the distribution of open recommendations based on the
subject of the recommendation. More than 60 percent of the recommendations relate to
needed improvements in either information technology or contracting.

Many of our recommendations have been open for prolonged periods of time. As shown
by the following chart, more than half of the recommendations are more than two years
old. Twenty-two recommendations (about 13 percent) are more than five years old; many
of the recommendations address the need for improvements in contracting practices
and should be implemented in the near future.
Other recommendations that have
persisted for more than five years address weaknesses in the PBGC’s existing automated
premium accounting system; these recommendations will likely remain open until PBGC
can implement its new system for premium accounting.

PBGC reports that it plans to complete many of its open recommendations in the near
future. As shown by the following chart, more than half (82 of 163 recommendations)
are scheduled for completion within the next six month period. About one quarter
of the recommendations will not be completed for at least a year, and the scheduled
completion date for about 9 percent of the recommendations (15 of 163) is more than 3
years in the future. Certain recommendations relating to PBGC’s information technology
security are not scheduled for completion until 2015. PBGC should ensure effective
interim measures to address the issues that will remain open for several years.

We are encouraged by management’s emphasis on correcting noted deficiencies,
testing their actions and submitting complete documentation to support closure of
open audit recommendations.
OMB Circular A-50 notes that “Corrective action taken by
management on resolved findings and recommendations is essential to improving the
effectiveness and efficiency of government operations.”

Significant On-Going Work

Our ongoing audit work addresses some of the most critical issues facing PBGC.
As of September 30, 2010, we were assessing a variety of issues, including PBGC’s
preparedness for a potential influx of pension plans and the Corporation’s financial
statements and compliance with FISMA. We also continue to address a Congressional
request that asked us to review PBGC’s actions with respect to the defined benefit plans
of Minnesota steelworkers and anticipate issuance of four separate reports dealing with
the various concerns that have come to our attention.

Request from Special Committee on Aging to Evaluate
PBGC’s Preparedness for a Potential Workload Influx
(EVAL-2011-01/PA-09-05)

After September 30 but before this report was submitted, we issued our report to
PBGC. Our work was performed in response to a request of Chairman Herbert Kohl of
the Senate Special Committee on Aging to evaluate PBGC’s readiness to address the
potential increase in workload attributable to changes in the economy.
Specifically, Chairman Kohl asked us to evaluate whether “PBGC management is taking steps to
strategically prepare the corporation for the possible influx of such plans and their
participants.” In general, our findings relate to the need for a more strategic approach in
planning for the workload surges that, while not precisely predictable, are foreseeable.

Congressional Request: Evaluation of PBGC’s Processing of Certain
Minnesota Steelworker Plans
(Project PA-09-66)

In response to a request from U.S. Senators Al Franken and Amy Klobuchar and
Congressman James Oberstar, we initiated a review of PBGC’s activities with regard to
the Minnesota Steelworker pension plans. Our work will be reported in four separate
reports, with the first report addressing the serious errors and omissions that plagued
PBGC’s efforts to determine the fair market value of plan assets for seven terminated
National Steel pension plans.
To its credit, PBGC leadership has already begun taking
action to address the identified issues, including (1) contracting for a Certified Public
Accounting (CPA) firm to re-perform the work related to these pension plans, as well as
others; (2) developing a plan for how contractor work will be monitored, evaluated, and
accepted; and (3) reviewing plan asset evaluations completed over the last two years,
with the objective of using identified deficiencies to train reviewers and staff and to
update procedures.

OIG’s Annual Audits of PBGC’s Financial Statements

The OIG is statutorily required to audit PBGC’s annual financial statements. For FY 2010,
we contracted with Clifton Gunderson to audit PBGC’s financial statements and to
complete several related audits and evaluations. Audit coverage includes an assessment
of internal controls across the Corporation, to include all financially significant systems.
Audit planning began in early March, with much of the field work occurring during the
summer and fall.

Audit of the Pension Benefit Guaranty Corporation’s
Fiscal Year 2010 and 2009 Financial Statements
(Project FA-10-69)

At the end of the six month period covered by this report, our financial statement audit
was in progress but drawing to a close. During November 2010, the OIG issued opinions
and reports relating to the audit of PBGC’s financial statements.
The opinion on PBGC’s
financial statements is unqualified, while the opinion on internal control is not favorable,
based on continuing significant IT weaknesses as discussed above.

Opinion on the Financial Statements – The objectives of our financial statements audit are
to provide: (1) an opinion of reasonable assurance as to whether the agency’s financial
statements are presented fairly in all material respects; (2) an opinion on internal control
over financial reporting including the safeguarding of assets; and (3) an assessment of
compliance with applicable laws and regulations.

Opinion on the Special-Purpose Financial Statements – We also provided an opinion on the
Corporation’s special-purpose financial statements, which directly link PBGC’s audited
financial statements to the Financial Report of the United States Government prepared
by the Department of the Treasury and audited by the Government Accountability Office.

Sensitive Payments Testing – In conjunction with the financial statement audit, Clifton
Gunderson LLP performed testing of sensitive payments, including senior level
management activities and expenses, such as compensation, travel, perquisites,
preparation of required financial disclosure forms, and PBGC vehicle usage.
Results of this
testing are incorporated into financial statements audit reports, as appropriate.

Penetration Testing – In connection with the FY 2010 financial statements audit, we
contracted with Clifton Gunderson LLP to perform a vulnerability assessment and
penetration testing, which included internal vulnerability assessments to discover
possible weaknesses in PBGC’s logical security controls and to exploit discovered
vulnerabilities. The goal of our assessment was to determine the degree of control
PBGC could expect an attacker to achieve after a successful penetration. During our
assessment, we discovered live hosts residing on external and internal PBGC networks.
We conducted overt and covert vulnerability assessments on IP addresses in use. We
obtained approval prior to exploitation of discovered vulnerabilities to attempt to gain
access to sensitive data.

After September 30 but before this report to Congress was submitted, we briefed
the Corporation on its most serious IT security vulnerabilities and provided details of
the testing results for development of appropriate corrective action. Because of the
sensitivity of the issues, we will issue a restricted disclosure report to PBGC management
with appropriate recommendations.

Assessment of PBGC compliance with FISMA

In conjunction with the IT vulnerability testing, Clifton Gunderson is also conducting
the annual assessment of PBGC’s compliance with the Federal Information Security
Management Act (FISMA).
FISMA requires each federal agency to develop, document,
and implement an agency-wide program to provide IT security for the information and
information systems that support the operations and assets of the agency. FISMA also
requires the agency to report in ten specific areas relating to the state of its IT security,
and the OIG independently to assess the agency’s IT security assessment. OMB has
developed a mandatory template report for consistent reporting across the government.

An effective information security program should include accurate Certification and
Accreditation (C&A) documentation, effective security awareness training, adequate
contingency plan testing, periodic evaluations of IT controls and effective hardware
and software. At the time of this report, FISMA testing was still on-going, though we
had reported to PBGC numerous IT weaknesses. Some, like the deficiencies in the C&A
process, were reported last year and remain virtually unchanged. Others were new.

Subsequent to the reporting period for this semiannual report, during November 2010,
OIG filed a joint report with PBGC on the current status of PBGC’s IT security to OMB by
November 15, 2010.
Additionally, in early 2011 we will issue a narrative report to PBGC
with details about the findings and recommendations for corrective action.

Review of PBGC’s Proposed Investment Policy Implementation
Guidance

Evaluation of Major Asset Allocation Transition Guidance

In September, the Chief Investment Officer (CIO) requested our office review a draft
document created by PBGC entitled Major Asset Allocation Transitions. After our review
of this transition document, we met with the Chief Financial Officer, CIO, and Deputy CIO
to share our observations and suggestions. Based on our review, there are opportunities
for PBGC to leverage both the OIG’s and PBGC’s prior work in this area. For example,
the Major Asset Allocation Transition document did not include the 14-point transition
risk matrix developed earlier by PBGC and their consultants, nor did the transition
document contain the six additional critical risks and associated mitigating measures
OIG recommended PBGC add to its 14-point matrix. Additionally, we suggested PBGC
leverage the transition guidelines and principles outlined in PBGC’s 2009 publication, The
PBGC Standard: Investment Transition Management Guidelines.

Development of Written Guidelines for the Securities Lending Program

During the summer of 2009, when we issued our report, written policies regarding
the securities lending program were virtually non-existent.
PBGC has now begun the
arduous process of drafting written policy guidance regarding the investment objectives,
risk tolerance, and measurement standards and operations of the securities lending
program. We have worked closely with PBGC, reviewing several iterations of PBGC’s
draft documents and offering suggestions and edits. Because the PBGC Board has the
authority and responsibility for establishing and overseeing the investment policy and
its implementation, the securities lending guidelines proposed in our report should
be submitted to the Board and Board Representatives for review. Final action on our
recommendations for guidance will not be considered complete until this has been
done.

We continue to work closely with PBGC management as guidance relating to major asset
allocation transition and securities lending is being developed. The Corporation has been
responsive to our feedback; we look forward to the resulting enhancements.

Other OIG Reporting

Access to Information

The Inspector General Act permits the Inspector General to have unfettered access
to all agency records, information, or assistance when engaged in an investigation or
audit.
Whenever access to requested records, information, or assistance is unreasonably refused or not provided, the Inspector General must promptly report the denial to the agency head. We have not been denied access nor has assistance been unreasonably refused during this reporting period.

Management Decisions

The Inspector General is required to report the following about management decisions on audit reports that occurred during this six-month period:

  •  There is 1 audit report for which management decision is pending (see Appendix, page 26).
  •  There were no significantly revised management decisions.
  •  There were no management decisions of a material nature with which the Inspector General did not agree.

Audit Peer Review Results

In an external peer review of the PBGC OIG’s audit program for the year ended September 30, 2009, we received the highest possible peer review rating, a rating of “pass.” The “pass” rating means that the external reviewer determined that our system of quality control was suitably designed and our adherence to this system provided reasonable assurance that we performed work and reported results in accordance with professional standards.

Government Auditing Standards require each audit organization to obtain an external review of its system of quality control every three years and make the results publicly available.
In addition, under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, the Inspector General is required to report the results of its peer review in its semiannual report to Congress.

The peer review was conducted by the Federal Communications Commission (FCC) during the first quarter of FY 2010, with the opinion issued on January 26, 2010. A copy of this peer review is found at our website: http://oig.pbgc.gov/audit/2010/pdf/PBGC_Peer_Review_Report_2009.pdf.

Other Office of Inspector General Activities

Review of Proposed Statutory and Regulatory Changes

A major responsibility of the OIG under the Inspector General Act is the independent review of PBGC-proposed changes to laws and regulations. There were no significant PBGC statutory proposals this period, and OIG did not review any new proposed regulations.

Participation in CIGIE Training Efforts

Senior OIG leaders participated in multiple Council of Inspectors General for Integrity and Efficiency training efforts, including:

  •  The IG and AIGI participated as guest speakers in three sessions of the Executive Leadership Training sponsored by CIGIE. This course is taught by the American University, and is attended by GS-13s and GS-14s from throughout the IG community.
     Our segment focused on the value of networking within the OIG community to achieve mission goals and objectives.
  •  The IG was the guest speaker at the September commencement ceremony for graduating criminal investigators from the Criminal Investigator Training Program (CITP) at the Federal Law Enforcement Training Center. In her message, Ms. Batts challenged the graduates to go beyond their specialized technical training and develop strong professional networks. The CITP provides basic and fundamental training in the techniques, concepts, and methodologies of conducting criminal investigations. The OIG had one of its own graduate from the CITP in September.
  •  The Special Agent-in-Charge participated on a curriculum review committee to revamp the Undercover Operations Program at the Inspector General Academy. Based on feedback and recommendations from a series of meetings, revisions were made to the training content and methodology for implementation in FY 2011.

OIG Hires New Staff

During this period, the OIG recruited and hired eight new staff members: 5 auditors, 1 information technology specialist, and 2 criminal investigators. This large number of recruitments stemmed from new positions, retirements, and staff replacement. In the early part of FY 2011, we anticipate completing additional recruitments.
Filling these positions will allow our office to operate with a full complement of professional staff for the first time in more than two years.

External and Internal Professional Activities

Various staff members participated in external and internal professional activities. Examples include:

  •  The IG participates in the Council of Inspectors General for Integrity and Efficiency (CIGIE), which promotes collaboration on integrity, economy, and efficiency issues that transcend individual agencies. Ms. Batts serves as the co-chair of the CIGIE Information Technology Committee and as a member of the Audit Committee. She also serves as the CIGIE delegate to the Chief Financial Officer’s Council. In the Federal Financial Regulatory Inspectors General group, she joins with other IGs to discuss common financial concerns and the work each is doing.
  •  The Assistant IG for Audits serves on the Accounting and Audit Policy Committee (AAPC), which is a permanent committee established by the Federal Accounting Standards Advisory Board. Federal accounting standards and financial reporting play a major role in fulfilling the government’s duty to be publicly accountable.
     The AAPC issues technical releases related to existing Federal accounting standards. AAPC’s technical releases are a form of authoritative guidance for generally accepted accounting principles for Federal entities.
  •  The Assistant IG for Investigations continues to serve as a non-voting member of PBGC’s Internal Control Committee, providing insight gained through his experience as a criminal investigator to those responsible for oversight and accountability of PBGC internal controls. Effective control systems may detect fraud or deliberate non-compliance with policies, regulations, or laws.
  •  The Special Agent-in-Charge participates in the Financial Fraud Enforcement Task Force sponsored by the U.S. Department of Justice.
  •  OIG special agents conducted fraud awareness briefings for several PBGC departments and Field Benefit Administration (FBA) offices.
     The briefings are designed to educate PBGC employees and contractors about fraud indicators, and the OIG’s authority and responsibilities in combating fraud, waste and abuse within the programs and operations of PBGC.
  •  Senior OIG leaders assisted several OIGs, including those at the Department of Agriculture, National Science Foundation, and the Postal Regulatory Commission, in the evaluation and interviews of candidates for their senior leadership positions.

Appendix

CROSS-REFERENCE TO REPORTING REQUIREMENTS
OF THE INSPECTOR GENERAL ACT

The table below cross-references the reporting requirements prescribed by the Inspector General Act of 1978, as amended, to the specific pages in the report where they are addressed.

Inspector General
Act Reference      Reporting Requirements                               Page
Section 4(a)(2)    Review of legislation and regulations.               21
Section 5(a)(1)    Significant problems, abuses, and deficiencies.      5-19
Section 5(a)(2)    Recommendations with respect to significant          5-19
                   problems, abuses, and deficiencies.
Section 5(a)(3)    Prior significant recommendations on which           26-27
                   corrective action has not been completed.
Section 5(a)(4)    Matters referred to prosecutorial authorities.       24
Section 5(a)(5)    Summary of instances in which information            19
                   was refused.
Section 5(a)(6)    List of audit reports by subject matter, showing     25
                   dollar value of questioned costs and
                   recommendations that funds be put to better use.
Section 5(a)(7)    Summary of each particularly significant report.     5-18
Section 5(a)(8)    Statistical table showing number of reports and      25
                   dollar value of questioned costs.
Section 5(a)(9)    Statistical table showing number of reports and      25
                   dollar value of recommendations that funds be
                   put to better use.
Section 5(a)(10)   Summary of each audit report issued before this      28
                   reporting period for which no management
                   decision was made by end of the reporting period.
Section 5(a)(11)   Significant revised management decisions.            19
Section 5(a)(12)   Significant management decisions with which          19
                   the Inspector General disagrees.

SUMMARY OF AUDIT AND INVESTIGATIVE ACTIVITIES
For the Six-Month Period Ending September 30, 2010

Audit Reports Issued
    Number of Reports                                   2
    Number of Recommendations                           9
Management Decisions
    Open Recommendations Beginning of Period          201
    Opened this Period                                  9
    Closed This Period                                 47
    Open Recommendations End of Period                163
    Reports with Open Recommendations End of Period    38

Investigations
    Pending Beginning of Period                         7
    Opened                                              1
    Closed                                              2
    Pending End of Period                               6
Complaints¹
    Pending Beginning of Period                         9
    Opened                                             47
    Closed                                             45
    Pending End of Period                              11
Financial Recoveries²
    Theft of Funds Recovered                           $0
    Court Ordered Fines, Penalties, and Restitution    $0
    U.S. Government Property Recovered                 $0
Criminal Actions²
    Arrests                                             0
    Indictments                                         0
    Convictions                                         0

Administrative Actions²                                 0

Referrals
    For Prosecution:
        Department of Justice                           1
        Various States’ Attorney Offices
    Declined                                            1
    For Other Action:
        PBGC Management for Corrective Action           0

¹ Complaints include allegations received through the hotline operation and issues resulting from proactive investigative efforts.
² Results reported for Financial Recoveries, Criminal, and Administrative Actions include both open and closed cases.

RESULTS OF REPORTS ISSUED
For the Six-Month Period Ending September 30, 2010

                                                  Number      Questioned   Unsupported   Funds Put to
                                                  of Reports  Costs        Costs         Better Use
A. For which no management decision had been      10          $441,244     $0            $0
   made by the commencement of the reporting
   period.
B. Which were issued during the reporting period. 2
   Authorization to Operate PBGC Information                  $0           $0            $0
   Systems (08/18/10)
   AUD-2010-8 /IT-09-70
   PBGC Needs to Improve Controls to Better                   $0           $0            $0
   Protect Participant Personally Identifiable
   Information (09/16/10)
   AUD-2010-09/ IT-09-67
   Subtotal (Add A. & B.)                         12          $441,244     $0            $0
C. For which a management decision was made       11          $343,663     $0            $0
   during the reporting period.
   (i) dollar value of disallowed costs                       $37,562      $0            $0
   (ii) dollar value of costs not disallowed                  $306,101     $0            $0
D. For which no management decision had been      1           $97,581      $0            $0
   made by the end of the reporting period.
E. For which no management decision was made      1           $97,581      $0            $0
   within six months of issuance.

¹ Unsupported costs are a subset of questioned costs.

PREVIOUSLY REPORTED SIGNIFICANT RECOMMENDATIONS
FOR WHICH CORRECTIVE ACTION HAS NOT BEEN COMPLETED

Report Number, Report Title and Date Issued:
    96-4/23093-2
    Audit of the Pension Benefit Guaranty Corporation’s Fiscal Year 1995 Financial Statements
    03/13/1996
    and
    AUD-2008-2/ FA-09-0034-2
    Report on Internal Control - PBGC’s FY 2007 and 2006 Financial Statements Audit
    11/15/2007
Number of Significant Recommendations: 1
Significant Problems and Deficiencies: Significant Deficiency: Integrating Financial Management Systems
Summary of Significant Recommendations: PBGC needs to complete the integration of its financial management systems. PBGC estimated completion: 11/01/2013

Report Number, Report Title and Date Issued:
    2003-3/23168-2
    Audit of the Pension Benefit Guaranty Corporation’s Fiscal Years 2002 - 2001 Financial Statements
    01/30/2003
    and
    AUD-2008-2/ FA-09-0034-2
    Report on Internal Control - PBGC’s FY 2007 and 2006 Financial Statements Audit
    11/15/2007
Number of Significant Recommendations: 2
Significant Problems and Deficiencies: Significant Deficiency: Entity-Wide Information Security Program Planning & Management
Summary of Significant Recommendations: PBGC needs to complete its efforts to fully implement and enforce an effective information security program. PBGC estimated completion: 2/28/2015

Report Number, Report Title and Date Issued:
    2003-10/23177-2
    Review of PBGC’s Premium Accounting System
    10/10/2003
Number of Significant Recommendations: 3
Significant Problems and Deficiencies: Control weaknesses undermine the quality and integrity of reported premium revenues.
Summary of Significant Recommendations: PBGC needs to ensure that its automated system produces accurate and verifiable premium accounting data. PBGC estimated completion: 11/01/2013
Report Number, Report Title and Date Issued:
    2008-1/FA-0034-1
    Audit of the Pension Benefit Guaranty Corporation’s Fiscal Years 2007 - 2006 Financial Statements
    11/15/2007
    and
    AUD-2008-2/ FA-09-0034-2
    Report on Internal Control - PBGC’s FY 2007 and 2006 Financial Statements Audit
    11/15/2007
Number of Significant Recommendations: 11
Significant Problems and Deficiencies: Significant Deficiency: Access Controls
Summary of Significant Recommendations: PBGC needs to mitigate the systemic issues related to information access controls. PBGC estimated completion: 10/31/2013

Report Number, Report Title and Date Issued:
    AUD-2009-01/FA-08-49-1
    Audit of the Pension Benefit Guaranty Corporation’s Fiscal Years 2008 and 2007 Financial Statements
    11/13/2008
    and
    AUD-2009-02/FA-08-49-2
    Report on Internal Controls – PBGC’s FY 2008 and 2007 Financial Statements
    11/13/09
Number of Significant Recommendations: 5
Significant Problems and Deficiencies: Significant Deficiency: Entity-Wide Information Security Program & Planning Management
Summary of Significant Recommendations: PBGC needs to complete the design, implementation and testing of security controls, implement an effective certification and review process, and correct identified access control vulnerabilities. PBGC estimated completion: 2/28/2015

This chart
complies with Section 5(a)(1), (2) and (3) of the Inspector General Act of 1978, as amended.

SUMMARY OF REPORTS OLDER THAN SIX MONTHS FOR WHICH
MANAGEMENT DECISION HAS NOT BEEN ACHIEVED

Report and Summary: Incurred Cost Audit, 2008-09/CA-0054 (9/30/2008). Questioned Costs of $97,581 for unallowable costs associated with the use of unaudited indirect cost rates.
Reason For No Management Decision: Management decision is pending DCAA’s completion of its incurred cost audit and settlement of indirect cost rates.
Anticipated Management Decision: 12/30/2010
'